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We analyze the security of quantum cryptography schemes for d-level systems using 2 
or d + 1 maximally conjugated bases, under individual eavesdropping attacks based on 
cloning machines and measurement after the basis reconciliation. We consider classical 
advantage distillation protocols, that allow to extract a key even in situations where 
the mutual information between the honest parties is smaller than the eavesdropper's 
information. In this scenario, advantage distillation protocols are shown to be as powerful 
as quantum distillation: key distillation is possible using classical techniques if and only 
if the corresponding state in the entanglement based protocol is distillable. 
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1. Introduction 

Quantum Cryptography (QC) is a physically secure protocol to distribute a secret key between 
two authorized partners, Alice and Bob, at distant locations [1]. Its security is based on the 
no-cloning theorem: if Alice encodes the correlation in the state of a <i-dimensional quantum 
system (qudit) that she sends to Bob, an eavesdropper Eve cannot extract any information 
without introducing errors. By estimating a posteriori the errors in their correlations, Alice 
and Bob can detect the presence of the spy on the line. Of course, zero error can never be 
achieved in practice, even in the absence of Eve. By continuity, if the error is "small" one 
expects that it will still be possible to extract a secret key from the noisy data [2]. At the 
other extreme, if the error is large, then Eve could have obtained "too much" information, 
so the only way for Alice and Bob to guarantee security is to stop the protocol and wait for 
better times. It becomes then important to quantify the amount of error that can be tolerated 
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on the Alice-Bob channel: this value measures the robustness of a QC protocol. 

The problem of the extraction of a secret key from noisy data is of course not specific 
of quantum key distribution (QKD). In a typical cryptography scenario, Alice, Bob and Eve 
share N independent realizations of a triple (a, b, e) of classical random variables, distributed 
according to some probability law, P(A, B, E). The variables a and b are both d- valued, we 
say that Alice and Bob encode their information in dits. Eve can always process her data to 
obtain the optimal guesses for the values of a and b, e a , e^, with e x the d- valued guess for x. 
From P, one can in particular calculate the mutual information: 

I{A:B) = H{A) + H(B)-H(AB), (1) 
I(A:E) = H(A) + H(E A ) - H(AE A ) , (2) 
I(B:E) = H(B)+H(E B )-H(BE B ), (3) 

where H is the Shannon entropy, measured in dits, e.g. H(A) = — J2k=o P( a = ^) l°Sd P( a = 
k). 

To extract a secret key from the raw data means that Alice and Bob are able to process their 
data and communicate classically in order to end with n < N realizations of new variables 
(a',b',e') such that asymptotically I (A' : B') = 1, and I(A' : E') = I(B' : E') = 0. In other 
words, the processed variables must be distributed according to a probability law P' of the 
form P'(A' ,B')P'(E), with P'(a' = b') = 1. To date, no necessary and sufficient criterion 
is known to decide whether a secret key can be extracted from a given classical distribution 
P(A, B, E). Basically two results are known: 

CK criterion. If I(A : B) > I E = min[/(A : E),I(B : E)], then a secret key of length 
n = [I (A : B)—Ie] N can be extracted using one-way classical data processing. This theorem, 
given by Csiszar and Korner in 1978 [3], formalizes the intuitive idea that if Eve has less 
information than Bob on Alice's string (or, than Alice on Bob's string), the extraction of 
a secret key is possible. It consists of the following two steps: error correction followed by 
privacy amplification [4]. The whole process is done using unidirectional communication. 

AD criterion. Even if I(A : B) < Ie however, in some cases a secret key between Alice 
and Bob can be extracted. This is because (i) Eve has made some errors, her information 
is bounded, and (ii) Alice and Bob share a classical authenticated and error-free channel: in 
other words, Eve can listen to the classical communication but can neither modify nor even 
disturb it. These protocols were introduced in 1993 by Maurer [5], who called them advantage 
distillation protocols. They require two-way communication between Alice and Bob and are 
rather inefficient. Very little is known about the conditions (for instance, in terms of Eve's 
error probability or information) such that a key can be distilled using these protocols. 

Most of the works of QC define robustness by using CK. AD protocols in QC were consid- 
ered a few years ago by Gisin and Wolf [6], who studied the case of qubit encoding (d = 2). In 
this paper, we analyze QC protocols with d-level quantum states or qudits [7] under individ- 
ual attacks based on cloning machines. In Section 2, we describe our scenario: the protocols 
and the individual attacks considered. We also present the entanglement based version of all 
these protocols. Indeed, although entanglement is in principle not required for a secure key 
distribution, it is known that any QKD protocol can be easily translated into an analogous 
entanglement based protocol. In Section 3, we generalize the result of Gisin and Wolf to the 
case of qudits: we show that, under our assumptions, classical advantage distillation works 
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for c?-level protocols if and only if the quantum state shared by Alice and Bob before the mea- 
surement in the corresponding entanglement based protocol is entangled and distillablc. In 
Section 4, we discuss the link between the CK criterion and the violation of Bell's inequalities, 
noticed for qubits in Refs [8, 9]. Section 5 is a conclusion, in which we review some interesting 
open questions. 

2. QC with qudits 
2.1. The protocol 

A general scheme for QC with qudits, generalizing BB84 protocol for qubits [10], has been 
presented by Cerf et al. [7] . Central to this development is the notion of mutually unbiased 
bases: two bases B\ = {\k)} and B 2 = {10} are called unbiased (or maximally conjugated) 
if |(fc|Z)| 2 = i f° r ah vectors in each basis. For qudits, one can find at most d + 1 maximally 
conjugated bases [11]. Once a computational basis B\ = {|0), |1), \d — 1)} is arbitrarily 
chosen, one can always construct at least one unbiased basis, the so-called Fourier-dual basis 

\i) = -L fy- fc ^| fc) . (4) 

Let B = {Bi, ...,B n }, with 2 < n < d + 1, a set of n mutually unbiased bases, where B\ 
is chosen as the computational basis. Alice prepares at random one state belonging to one 
of these bases and sends it to Bob. Bob receives the qudit, and measures it in one of the 
bases of the set B. Then, (i) if Alice and Bob use the same basis, their results are perfectly 
correlated; (ii) if they use different bases, their results are totally uncorrelated. Later, they 
reveal publicly the basis that they used: they keep the items where they used the same basis 
and discard the others. So, after this sifting procedure, Alice and Bob are left with a fraction 
i of the raw list. In the absence of any disturbance, and in particular in the absence of Eve, 
these dits are perfectly correlated. 

It is straightforward to construct the corresponding entanglement based protocol [12, 13]. 
Alice prepares a maximally entangled state 




keeps one qudit and sends the other to Bob. The maximally entangled state is maximally 
correlated in all the bases, since for all unitary operations U <E SU(d), 

{U® U*)\$) = |$). (6) 

After the state distribution, Alice and Bob measure at random in one of the bases of B 
(more precisely Bob's set of bases is £>*). They announce the measurement bases. Only those 
symbols where they chose the same basis are accepted, giving a list of perfectly correlated 
dits. Note that Alice's measurement outcome is completely equivalent to the previous state 
preparation. 

For the rest of the article, and for consistency in the presentation, we will mainly concen- 
trate on entanglement based protocols. But it has to be stressed that some of the ideas are 
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especially meaningful for protocols without entanglement. For instance, whenever we speak 
about classical key distillation protocols, we also refer to protocols without entanglement. 

2.2. Generalities about Eve's attacks 

Now we must study Eve's attacks on the qudits travelling to Bob. To find the most general 
eavesdropping attack for a QC protocol is a very hard problem. In this article we restrict our 
considerations to individual attacks: first, Eve lets the incoming qudit interact in a suitable 
way with some auxiliary quantum system she has prepared in a reference state \R). Then she 
lets the qudit go to Bob and stores her system. When Alice reveals the bases, Eve performs 
the measurement that allows her to gain some information about the qudit. Note that: (i) 
no coherent attacks will be considered, (ii) Eve is supposed to measure her system after the 
basis reconciliation and (iii) the individual attack does not change from symbol to symbol [4] . 
Thus, after Eve's intervention, the total quantum state reads 

\*)abe = (1U ® U BE ) ® \R) E . (7) 

Since Eve does not modify the local density matrix pa = of Alice, we have H (A) = 1 
. We also focus on attacks such that Eve introduces the same amount of error in all bases: 
P{a ^ b\Bi) = D for all i — 1, j. Indeed, it was proven in [14] that, given an asymmetric 
eavesdropping strategy, one can always design a symmetric attack as powerful as it. The 
mutual information Alice-Bob is thus simply 

I(A:B) = 1 - H({D, 1 - D}) . (8) 

To go further, one must find Eve's optimal individual attack. Since Eve can gain more infor- 
mation by introducing larger errors, it is natural to optimize Eve's attack conditioned to a 
fixed amount of error D in the correlations Alice-Bob. This implies that, after optimization, 
P(A, B, E) is ultimately only a function of D, and the condition for Alice and Bob to extract 
a secret key will be of the form D < D, for a bound D to be calculated. If Alice and Bob 
find D > D, they simply stop the protocol. Therefore, the value of D does not quantify 
the security, but the robustness of the protocol. If D turns out to be very small, the QKD 
protocol is not practical. According to whether we use the CK or the AD criterion to quantify 

the robustness, we shall find two different robustness bounds, D CK and D AD , with of course 
d ck < d ad 

The question is: which quantity should the individual attack "optimize"? It is commonly 
accepted that we must maximize the mutual information Alice- Eve I(A : E) and/or Bob-Eve 
I(B : E) — it will turn out that the optimal incoherent eavesdropping yields I ( A : E) = 
I{B : E). We follow this definition, although, as one of the conclusions of this work, it 
will be stressed that different optimizations are worth exploring. Even if now, with all our 
assumptions, the problem of finding Eve's attack is formulated in a more precise way, the 
optimal attack is still not easy to find. We analyze the individual attacks based on cloning 
machines given in Ref. [7]. These individual attacks are proven to be optimal for d = 2, 
with two [9] and three bases [16], and d — 3 and four bases [17]. For larger d, they are 
optimal under the assumption that Eve's best strategy consists of using one of the cloning 
machines described in [18]; this assumption seems plausible but has not been proven. The 
next subsection describes these attacks. 
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2.3. Cloning machine eavesdropping 

Following Cerf et al. [7], we consider only 2-bases protocols, choosing the two basis as Fourier- 
dual of one another, and (d + l)-bases protocols [15]. These are the natural generalizations, 
respectively, of the BB84 [10] and of the six-state [16] protocols for two qubits. 

The evolution induced by Eve's action is built using the cloning machines introduced 
in Rcf. [18]. The reference state for Eve is the maximally entangled state of two qudits, 
\R) = 1$). The initial state \®) AB \®) E E is scnt onto 

d-1 

\*)abe iE2 = E a ^nU r i B im AB u^;_} n m EiE2 (9) 

m,n— 

where U m _ n is the unitary operation that acts on the computational basis as 

U m , n \k) = e 2mkn / d \(k + m)modd) . (10) 
In other words, U mn introduces a phase shift measured by n and an index shift measured 

( (E ) 

by to. Um,n and _ n indicate that these transformations apply to Bob's and Eve's second 
system. The coefficients a mj „ are determined by imposing the requirements discussed above 
(same amount of errors for all bases), and then optimizing Eve's information for a given error 
D. The detailed calculation of these coefficients can be found in [7]. Writing F = 1 — D, the 
fidelity of the cryptography protocol, one finds for the 2-bases protocol, 

«o : o = F ; 

a m ,o = a , n = x = \J~^Ep- form,n^0; (11) 
a m ,n =V= ^zf for to, n 7^ . 

For the (d + l)-bases protocol, one finds 

_ /(d+l)F-l 

«o,o =v= ^ j ; 
a m , n =z = for to ^ or n ^ 

Note that the states \B m ^ n ) = [1 (g) U m . n ]\<&) are mutually orthogonal — in fact, they form a 
basis of maximally entangled states of two qudits. In particular then 

d-1 

PAb(F) = E \ a m,n( F )\ 2 \ B m,n)(B m ,n\- (13) 
m.n—0 

The transformation defined by (9) can be seen as a cloning machine, where Bob's state is 
the state to be copied, the first qudit of Eve, E\ , is Eve's clone, and her second qudit E 2 is 
the ancilla. After this interaction Eve waits for the basis reconciliation. Once the used basis 
has been announced, Eve can gain partial information about Alice's and Bob's symbols by 
measuring her two qudits. We will consider the measurements discussed in Ref. [7] for both 2- 
bases and (d+ l)-bases protocols that maximize Eve's information. These measurements also 
minimize Eve's error probability and are an example of the so-called square-root measurements 
[19]. It turns out that (i) the measurement on E\ gives the estimate e a for Alice's dit; (ii) 
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the measurement on E2 gives deterministically the value of the error introduced on Bob's 
side, x — b — a. Since Eve deterministically knows the difference between Alice's and Bob's 
symbols, she has Iae — Ibe- 

We have presently collected all the tools we need to study the robustness bounds D AD 
(Section 3) and D (Section 4) on QC protocols with entangled qudits. 

3. Advantage distillation and distillation of entanglement 

In this Section, we prove the following 

Theorem: Let D AD and D ED denote the two bounds: (i) a secret key can be extracted by 
advantage distillation for D < D AD , and (ii) pab(F) is distillable for D = 1 — F < D ED . 
Then, for any d, and for both the 2-bases and the the [d + l)-bases protocols, 

D AD = jjED (u) 

In words: advantage distillation protocols can be used to extract a secret key if and only if 
the state pab (13), obtained after the cloning based attack, is entangled and distillable. 

Actually, we have rigorous proofs for the d + 1-bases protocols for all dimension and for 
the 2-bases protocols up to d = 15. For two bases and d > 15 the validity of the theorem is 
conjectured. 

The meaning of this result is schematized in Fig. 1. We start with a quantum state 
\^)abe> an d want to end up with a probability distribution P(A, B)P(E) with P(a = b) = 1. 
In the Introduction, we considered the following protocol: (i) the state is measured, giving 
P(A, B, E) [20]; (ii) Alice and Bob process their classical data, using AD, to factor Eve out. 
Let us again emphasize here that no entanglement is actually required for distributing the 
probabilities P(A, B, E). But one can as well consider quantum privacy amplification: (i') 
Alice and Bob distill a maximally entangled state |$), and since pure state entanglement 
is "monogamous" Eve is certainly factored out; (ii') They make the measurements on 
and obtain the secret key. Our Theorem thus means that these two protocols work up to 
exactly the same amount of error D. In other words, as far as robustness is concerned, there 
seem to be no need for entanglement distillation in QC, one can as well process the classical 
information. 



Measurements 



Quantum 
Distillation 



- P(A,B,E A ,E B ) 



Classical 
Distillation 



— Secret key 



Measurements 



Fig. 1. Diagram illustrating the meaning of (14): the two protocols "measure the state, then apply 
advantage distillation" and "distill the entanglement, then measure the state" work up to the same 
amount of error in the correlations Alice-Bob. 
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The proof of the Theorem is given in two steps: 

Step 1 (subsection 3.1): we calculate D ED at which pab ceases to be distillable. We also 
prove — for all the (d + l)-bases protocols, and numerically for the 2-bases protocol up to 
d = 15 — that pab becomes separable at that point, that is, for no value of D the state pab 
is bound entangled. 

Step 2 (subsection 3.2): we construct an advantage distillation protocol that works for all 
D < D ED , so that D AD > D ED . 

These two steps conclude the proof of (14), taking into account the following result [21]: 
If \^) A be is such that pab is separable, then, whatever Alice and Bob do, there exists a 
measurement of Eve such that the intrinsic information Alice-Bob for the derived probability 
distribution P(A, B, E) 

I{A:B[E) = inf I(A : B\E) (15) 

E^E 

goes to zero. In fact, the vanishing of the intrinsic information implies that no secret key 
can be extracted [21]. Since for D — D AD the quantum state shared by Alice and Bob is 
separable, Eve can simply apply this measurement preventing Alice and Bob to establish a 
key. 

One may wonder whether, at this critical point, the measurement maximizing Eve's in- 
formation is also optimal from the point of view of the intrinsic information. This sounds 
very plausible. We explore this possibility in subsection 3.3: for the (d+ l)-bases and 2-bases 
protocol with d — 3, we construct explicitly the channel E — > E that Eve must apply to her 
data in order to obtain I(A : B\E) = 0. For the 2-bases protocol and d = 2, the channel was 
given in Ref. [21]. 

3.1. Step 1: Entanglement distillation 

We want to study the entanglement distillation properties of pab for both 2-bases and (d+ 1)- 
bases protocols. In order to do that, we first calculate its partial transposition. It is well known 
that a state with positive partial transpose (PPT) is not distillable [22]. This would define a 
critical D, denoted by D ED , above which the state cannot be distilled. Moreover, we will see 
that below this value the fidelity of pab with a two-qudit maximally entangled state satisfies 

($\ P AB(F)\<t>) > - d . (16) 

This condition is sufficient for distillability [23]. Therefore, pab is distillable if and only if 
D < D ED , i.e. the non-positivity of the partial transposition is a necessary and sufficient 
condition for the distillability of states (13). 

3.1.1. (d + l)-bases protocols 

Inserting (12) into (13), we find that for the (d + l)-bases protocols the state of Alice and 
Bob after Eve's attack is simply 



Pab(F) = A|*)<$| + (l-A)4 



(17) 
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2 = d ^_i . The smallest eigenvalue of the partial transpose p T A A B is simply 
X m in = A(— 4) + (1 — A) = 1 ~(^" 1 ) A ) where —\ is the minimal eigenvalue of (|<J>)(<E>|) Ta . 
The partial transpose p AB is non-negative if \ m in > 0, that is if A > ^j-j- or equivalently 
F > ^j-p This is precisely the range of value of F for which (16) docs not hold. We have 
thus proven that: 

(d+l)-bases: = . (18) 

Moreover, a state of the form (17) cannot be bound-entangled, i.e. the positivity of its partial 
transposition is equivalent to separability [23] . 

3.1.2. 2-bases protocols 

Inserting (11) into (13), and noticing that x 2 — Fy, we find that for the 2-bases protocols the 
state of Alice and Bob after Eve's attack is 

Pab(F) = (F 2 -y 2 )|$)($| + y 2 t + 

+ (F-y)y(Y, P ^ + T, P ^) ( 19 ) 

where P m ,n — \B m , n )(Bm,n\, and recall that y = : jzy- ^ n the computational product basis 
we have: 



d(kk\ P AB(F)\kk) = F 

d(kk'\ P AB(F)\kk') = y 

d{kk\ P AB(F)\k'k') = F(F-y) 

d(kk'\p A B(F)\j f) = y(F -y)5 {k _ k r hU _ J r ) 



(20) 



where fc,fc', j, f e {0,1, ...,d-l}, k' ^ k and j ^ k. Note that for F = F it holds y = F(F-y), 
that is (kk'\p AB (F)\kk') = (kk\p AB (F)\k'k') 

Condition (16) is fulfilled for F > F — so certainly D ED > 1 — Now we should 
prove that strict equality holds, by proving that pab(F) is PPT. For d = 2, that is for the 
entanglement version of the BB84 protocol, the calculation is particularly simple and it has 
been proven in [6] . Note that because for two qubits the negativity of the partial transpose 
is necessary and sufficient condition for entanglement, pab(F) is also separable. For d > 3 
we have demonstrated numerically (see Appendix A) that pab(F) is indeed PPT. So we can 
conclude 

2-bases: £>f D = 1 - . (21) 

v d 

For d = 3, . . . , 15, we can numerically prove (see Appendix B) that pab(F) is separable too. 
Indeed, it seems very plausible that PPT is a necessary and sufficient for separability when 
the states are diagonal in a basis of maximally entangled states, as it happens for pab (13). 

3.2. Step 2: Advantage distillation protocol 

We turn now to prove that advantage distillation works for all D < D ED . This can be done 
by generalizing the advantage distillation protocol described in Ref. [6] for qubits. It works as 
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follows: Alice wants to establish the secret dit X with Bob. She considers ./V items of her list, 
{a,!, di N }, and sends to Bob on the public channel the list {ii,...,ijv} and the numbers 
{a,i k } such that a ik + a ik = X. Bob takes the corresponding symbols of his list, {b il , 6 ijv } 
and calculates b ik + a ik . If he finds the same result Y for all k, he notifies to Alice that the 
dit is accepted; otherwise, both discard the N symbols. This protocol shows the features that 
we discussed for advantage distillation protocols: it requires two-way communication (Alice 
must announce and Bob must confirm), and its yield is very low with increasing N. As far 
as Eve is concerned, she can only listen to the communication and compute from her list 
ei k = ei k + di k . If Bob accepts, she cannot do better than a majority guess. 

Now, recall the purpose we want to achieve: we start in a situation in which I(A : E) = 
I(B : E) is larger than I {A : B), and we want to reverse this situation in order to enter the 
region in which the much more efficient one-way protocols can be used. Thus, we want to 
show that, after running the above protocol with N sufficiently large, the much shorter lists 
of dits arc such that Bob's error (5m in guessing Alice's dit has become smaller than Eve's 
error cat (noted 7^ in [6]). So now we must estimate (3n and ejv- 

Bob accepts a dit when either all his symbols are identical to those of Alice, which happens 
with probability F N , or all his symbols are different from Alice's by the same amount, which 

happens with probability = {d — 1) I -j^j ) . Thus, the probability of Bob accepting a 
wrong dit, conditioned to the acceptance, is 

»" - ^T^s^-'Kra)"' (22) 

Note that in the limit of large N the previous expression becomes an equality. 

It is more tricky to obtain an estimate for en- When Bob accepts a symbol, Eve makes a 
majority guess. Of course, there are enormously many possibilities for Eve to guess wrongly, 
and it would be very cumbersome to sum up all of them. The idea is rather to find those 
errors that are the most frequent ones. We shall obtain a bound cat which is smaller than the 
true one, but very close to it for large N (equal when N — > 00). The estimate is based on 
the following idea: before the advantage distillation protocol, Eve is strongly correlated with 
Alice and Bob. On the one hand, this implies that when one symbol is more frequent than 
all the others in Eve's processed E list, it will almost always be the correct one. On the other 
hand, it is very improbable that three or more symbols appear with the same frequency in 
the E list. All in all, the dominating term for Eve's errors should be associated to the case 
where two symbols appear in E with the same frequency, in which case Eve guesses wrongly 
half of the times. 

Suppose then that two symbols x and x' appear M times in E, and all the other d — 2 
symbols appear M' — N 7™ ■ Suppose now that one of the two symbols is the good one: 
this is highly probable when M > M', and a situation in which M' > M is very unlikely to 
happen. Moreover, we suppose that a ik = b ik = x (the other situation, a ik = b ik + c = x, 
adds only corrections of order /3jv)- The probability that E contains M times x and x' and 

/ \ N-M 

M' times all the other values is S M I ) where S is the probability that Eve guesses 
correctly Bob's dit, conditioned to the fact that Alice's and Bob's dits are equal. As we said, 
half of the times Eve will guess x correctly, and half of the times she will guess x' wrongly. 
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Adding the combinatorial factor that counts all the possible ways of distributing x and x' 
among the d symbols we obtain the estimate 



1 ^ Nl rM fl-S\ N - M , 

m=o(M!) 2 (^fi)! 



and applying Stirling's approximation (x!) m ~ we find the asymptotic behavior 

e N > ^2^+^-2)^) (24) 

with fc some positive constant. Comparing this expression with (22), we see that (3n decreases 
exponentially faster than €n whenever 



The value of 5 is found reading through Ref. [7]. For the 2-bases protocol, the probability 
that Eve guesses correctly is independent of the correlation Alice-Bob, so S 2 — F E given by 

For the (d+l)-bases protocols, 5d+i = (F + Fe — 1)/F, where F E = 1 — ^-(w — z) 2 . Inserting 
these values into (25), we find after some algebra that the condition is satisfied precisely for 
D < D ED given by (21), resp. (18). Thus, our advantage distillation protocol works at least 
up to D ED . 

3.3. Intrinsic information at D = D ED for d = 3 

In this subsection, we want to prove that the intrinsic information (15) of P(A, B, E) goes 
to zero at D = D ED , when Eve applies the measurements of Ref. [7]. As said above, this 
quantity provides an upper bound for the amount of secret bits the honest parties can extract 
from a probability distribution. Since pab at D = D ED is separable, we already know that 
there exists a measurement for Eve such that I(A : B J. E) = for all Alice's and Bob's 
measurements [21]. Thus, the state is completely useless for establishing a key. Here, we 
study whether the measurements maximizing Eve's mutual information are also optimal from 
the point of view of the intrinsic information, when D = D ED . We shall give the complete 
proof only for d = 3, but we start with general considerations. 

After basis reconciliation, Alice, Bob and Eve share the probability distribution P(a, 6, e a , x), 
that can be found reading through Ref. [7] — recall that \ = b — a deterministically. For the 
2-bases protocol, we have: 

P(a,b = a,e a = a,0) = FF E /d 

P(a,b = a,e a ^ a,0) = FD E /d , . 

P(a,b^a,e a = a,b-a) = DF E /d [ 1 

P(a,b 7^ a,e a 7^ a,b — a) = DD E /d. 
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For (d + l)-bases protocols, writing A = (F + Fe — 1)/F, we have: 

P(a, b = a,e a — a, 0) 
P(a,b = a, e a ^ a,0) 
P(a, b 7^ a, e a = a, & — a) 
P(a, b ^ a, e a =/= a,b — a) 

For both these distributions, the conditional mutual information is I(A : B\E) ^ 0. We are 
looking for a classical channel C that Eve could apply to her information 

C : E = {(e a , X )} - E = {u} (29) 

in such a way that /(A : B\E) = [24]. The channel is defined by the probabilities C(u\e a , \) 
that the symbol (e a ,\) of E is sent onto the symbol u of E. Of course, these probabilities 
fulfill the condition C(w|e a , x) = 1- The new probability distribution for Alice, Bob and 
Eve is given by 

P(a,b,u) = C(u\e a ,x)P(a,b,e a , X ), (30) 

e a ,chi 

whence conditional probabilities P(a,b\u) are obtained in the usual way. 

At this stage, we know of no systematic way of finding the channel that minimizes I(A : 
B\E), so we shall try to describe our intuition. Basically, one must keep in mind that I(A : 
B\E) — if and only if P(a, b\u) is in fact the product probability P(a\u)P(b\u). In particular, 
identities like 



FX/d 

D/d 
0. 



(28) 



P(a,b\u)P(a',b'\u) = P(a,b'\u)P(a' ,b\u) (31) 

should hold for all values of the symbols. 

For d — 3, we tried the "simplest" form of the channel and verified that it gives indeed 
I(A : B\E) = for D = D ED . It is defined as follows: 

• The symbol E is a trit: 

E = {u ,ui,u 2 } . (32) 



When Eve has introduced no error (x = 0), Eve's guess is sent deterministically on the 
corresponding value of the trit: 

C(u k \e a , X = 0) = 4,e a . (33) 



• When Eve has introduced some errors, Eve's guesses are mixed according to the following 
rule: 

C(u k \e a , X ^0) = l_ 2c ; . (34) 
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The value of the parameter c was found on the computer. For the 2-bases protocol, we found 
c w 0.4715; for the 4-bases protocol, c w 0.4444. 

4. The CK bound and the violation of Bell's inequalities 

As we said, although strictly speaking a secret key can be extracted for D < D AD , in practice 
the extraction can be made efficiently only for D < D , and this criterion is the most 
studied in the literature. The value of D CK for the protocols we are considering is given 
in Rcf. [7]. For 2-bases protocols, D% K = \ (l - = \D AD . For the (d + l)-bases 
protocols, it is cumbersome to give a closed formula for D^ l7 but it is slightly larger than 
D2 K - in other words, (d + l)-bases protocols are more robust than 2-bases protocols also if 
one considers the CK bound. 

We saw in the previous Section that D AD = D ED : advantage distillation is tightly linked 
to entanglement distillation. According to this intuition, one expects D CK to be linked to 
entanglement distillation using one-way communication [25]. As far as we know, there arc 
few results in this direction. Remarkably, the bound D CK also seems to be linked with 
the violation of a Bell's inequality, but it is unclear whether this link is as tight as (14), 
because it is a hard problem to characterize all the Bell's inequalities. More precisely, the 
state-of-the-question is described by the following 

Statement: Define the two bounds: (i) I {A : B) > min [l(A : E),I(B : E)] for D < D CK , 
and (it) Pab(F) violates a Bell's inequality for D = 1 — F < D BeU . Then, for any d, for both 
the 2-bases and the the (d + l)-bases protocols, and for all known Bell inequalities, it holds 



In words: if the state pab violates a Bell's inequality, then certainly the correlations can be 
used to extract a secret key in an efficient way. This is one of the situations in which Bell's 
inequalities show themselves as witnesses of useful entanglement. 

We start with a review of the d = 2 case. Consider first the 2-bases protocol. Writing as 



usual = ^(|00) ± |11)) and = ^(|01) ± |10>), the state (19) becomes F 2 P$+ + 

F(l - F) [P t - + iV] + (1 - F) 2 /V , that is 



with t x = t z = 2F — 1 and t y = — (2F — l) 2 . Applying the Horodeckis' result [26], the 
expectation value for the CHSH-Bell operator [27] with the optimal settings is given by S = 
y/tl + t 2 z = (2F - 1)V2. The Bell inequality is violated for S > 1, that is for F > \(1 + -^), 
that is again for D < D BeU = i(l - = D CK . So for the qubit protocol the equality holds 
in (35). 

This seems to be no longer true when we move to the 3-bases protocol (six-states protocol). 
The state (17) has the same form as (36), with t x — t z = —t y = 2F — 1. The condition for 
the violation of the CHSH-Bell inequality is then exactly the same as before, so we find again 
£)Bell _ _ y g ut £ or tne s ix_ s tates protocol, the bound D CK is slightly larger than 
this value. 



jjBell < jjCK 



(35) 




(36) 



k—x,y,z 
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One might start questioning the choice of the inequality. In the CHSH inequality [27], 
Alice and Bob choose each among two possible settings. For this reason, the inequality seems 
suited for the 2-bases protocol (although the settings are not the same ones), while for the 
3-bases protocol one should find an inequality with three settings per qubit. Recently, the 
complete characterization of all the inequalities with three settings of two outcomes per side 
has been achieved [28, 29]. None of these inequalities fills the gap between D CK and D BeU . 

Moving now to the d > 2 case, the knowledge is even more vague. Good Bell's inequalities 
for two entangled qudits for d > 2 have been found only recently [30, 31]. When applied to our 
problem, all these inequalities give D Bel1 < D CK both for the 2-bases and the (d + l)-bases 
protocols. Note that the inequality with two settings per qudit of Collins et al. [30] is in some 
sense optimal [29, 32]. 

5. Concluding remarks 

In this article we have studied the relation between quantum and classical distillation proto- 
cols for quantum cryptography. We have shown that classical and quantum key distillation 
protocols work up to the same point or disturbance for the schemes using two and d+ 1 bases, 
when individual attacks based on cloning machines are considered. Indeed, this equivalence 
has been recently extended in Ref. [33] to all two-qubit entangled states, and therefore to all 
the so-called one-copy distillable states (which include the states studied in this article), and 
to all individual attacks. We would like to conclude the present work with a list of several 
open questions connected to many of the points raised here. The solution of any of them will 
provide more insight into the relation between classical and quantum distillation protocols 
for quantum key distribution. 

• The first open question concerns of course the validity of our results when some of the 
assumptions made for Eve are relaxed. Although these assumptions seem very reason- 
able taking into account present-day technological limitations, they are quite strong 
from a theoretical point of view. First, one may wonder what happens if Eve changes 
her attack, still individual, from symbol to symbol. In this more general scenario, the 
so-called collision probability provides the honest parties with a bound on the amount 
of privacy amplification needed for distilling a secure key [4, 34] . One can also consider 
collective attacks where Eve interacts with more than one qudit [35] . Or even if the in- 
teraction is done symbol by symbol, she may delay her final measurement until the end 
of the classical communication between the honest parties [36]. In all these situations, 
the eavesdropper is more powerful than in this work, so they clearly deserve further 
investigation. 

• Another open question is the validity of the conjecture that the cloning machines defined 
above provide really the optimal individual eavesdropping, also for d > 3. While this 
seems very plausible for the (d+ l)-bases protocols, also when the Theorem (14) of this 
paper is taken into account, some doubts can be raised for the 2-bases protocols. In 
these protocols, the second basis has always been defined as the Fourier-dual basis of the 
computational basis. For d — 2 and d — 3 this is not a restriction, since the following 
holds: for any B\, B 2 and B 3 mutually maximally conjugated bases, there exist a unitary 
operation that sends the pair (Bi,B 2 ) onto the pair (Bi,B 3 ). For eavesdropping on QC, 
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this means that the cloning machines C\ 2 and C13 that are optimized for, respectively, 
(Bi,B 2 ) and (Bi,B 3 ), are equivalent under a unitary operation, so in particular have 
the same fidelity and define the same bounds. For d > 3 however, it is in general 
impossible to link (Bi,B 2 ) to (Bi,B 3 ) with a unitary operation [37]. This opens some 
intriguing possibilities: for instance, it might turn out that some pairs of mutually 
conjugated bases are more difficult to clone than others, and are therefore more suitable 
for cryptography. Recent results [38] suggest that this may not be the case and that 
all pairs of mutually conjugated bases may be equivalent for quantum cryptography, 
although this is still an open question. 

• A related open question concerns the choice of Eve's strategy. As mentioned explicitly, 
we have always supposed in this paper — as is done, to our knowledge, in most of the 
papers on QC — that Eve's best individual attack is the one that maximizes Eve's 
information at any given error rate induced on the correlations Alice-Bob. But Eve 
might have a different purpose; for instance, since after all the security of QC cannot 
be beaten, she might be willing to decrease the robustness. Thus, she may decide 
to apply the attack that introduces the minimal disturbance and lowers the intrinsic 
information of the resulting probability distribution. This is also connected to the 
security of quantum channels. Indeed, from the cryptography point of view, Eve's 
attack completely defines a channel. Therefore, when does a given channel allow for 
a secure key distribution, assuming that all the errors are due to the presence of an 
eavesdropper? Recent results in [33] suggest that only those channels that allow to 
distribute distillablc entanglement are secure. 

• The last question deals with more quantitative aspects. In Section 3, we have shown that 
two protocols for extracting a secret key, namely "measurement followed by advantage 
distillation" and "entanglement distillation followed by measurement" , work up to the 
same error rate. However, one of these two strategies might turn out to have a better 
yield than the other one. This is a complicated problem since, for both advantage 
distillation and entanglement distillation, the optimal protocols are not known. 



Note added in proof: The same results as in section 3 have been simultaneously and 
independently found in Ref. [39]. There, the analysis is restricted to d+ 1-bases protocols. 
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7. Appendix A 

In this Appendix, we describe the efficient numerical calculation used to demonstrate that 
Pab(F) for the 2-bases protocol is PPT (see paragraph ). 
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When one resorts to numerical methods, the first idea would be to use the brute force 
of the computer: write a program that takes pab(F) = P, computes p TA = M and finds its 
minimal eigenvalue. But M is a d 2 x d 2 matrix, and since it has a nice structure one can do 
much better. Actually, we show below that M is actually block-diagonal, with d blocks of 
dimension dxd. For odd d, all the blocks are identical; for even d, two different blocks appear, 
each in | copies. Having noticed that, one has to find numerically the minimal eigenvalue of 
one or two dxd real matrices, and this scales much better than the brute force method. Based 
on this result, we could very easily check that pab(F) is PPT up to d = 200, this number 
having no other meaning than the fact that one must stop the computation somewhere — 
anyway, it is unlikely that a QC protocol using entangled states of two 200-levels systems will 
ever be of any practical interest. 

To study the structure of M — p T A A B , we take the partial transpose of (20): 



(kk\M\kk) 
\kk'\M\kk') 
\kk'\M\k' k) 
(kk'\M\jf) 



A 
B 
B' 



(37) 



with A= f , B 



v b' 



ESlpLL and C = Recall that B = B' for F = F: we must 



prove that the minimal eigenvalue of M is negative if and only if B < B' . From (37) it is 
then clear that M is composed of d blocks dxd, because these four relations show that only 



the (kk'\M\jf) with k 
and the 2 x 2 blocks 



k' = j + j' are non-zero. Explicitly, defining the vector c = (C C) 



A C 
C A 



B 



B B' 
B' B 



C 



c c 
c c 



one finds the following structure for M: 
odd d: all blocks are identical to 



(Ac 
c T B 



c 
C 
C B 



V c T C C 



C 

c 



(38) 



even d: the | blocks characterized by k + k' even are equal to 



/ A 


c 


C . 


. C 


c 


B 


C . 


. C 


c 


C 


B . 


. C 


V c 


C 


C . 


. B 



(39) 
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the | blocks characterized by k + k' odd are equal to 



/ B 


c 


c . 




C 


B 


c . 


. c 


C 


C 


B . 


. c 


V c 


c 


C . 


• B ) 



So these are the d x d matrices whose minimal eigenvalue is to be found. 



8. Appendix B 

In this appendix we show how to numerically prove the separability of the states pab (F) for 
the 2-bases protocol. Note that all the states P ab(F) are diagonal in the Bell basis {\B m n )} 
(13). This turns out to be the crucial point in our demonstration. Indeed, it is very plausible 
that PPT is a necessary and also sufficient condition for the separability of Bell diagonal 
states, but we are not aware of any proof of that. 

Any density matrix, p, can be brought into a Bell diagonal form by a sequence of lo- 
cal operations assisted with classical communication (LOCC). This is done by the following 
depolarization protocol 

W = Y,^ U ^® U kn)p{U m ,n®U* m J , (41) 

m,n 

that makes the transformation 

m,n \B m ,n){Bm,n\ , (42) 

m,n 

where X m , n — (B m , n \p\B m . n ) . Thus, the overlaps with the Bell states for the initial and the 
depolarized state are the same, they are not changed by V. 

We consider a subset of the set of separable pure states in <C d <g> C d parameterized as 

IV.) = iv> ® m ■ (43) 

Note that these states depend on 2d — 2 parameters, instead of the 2(d — 2) needed for a 
generic separable pure state. We look for those \ip s ) minimizing the function 

/(V.) = ]T(| am ,„(F)| 2 - |(B m ,„|^)| 2 ) 2 . (44) 

m.n 

After some computer runs, we always find (up to d = 15) a state \^j s ) such that /(V> s ) — 0, 
which means that |(-B m , n |V' s )| ~ |a mi „(F)|. Therefore, after applying the depolarization 
protocol to this state, one obtains 

PAB (F)~V{\$ a )$ a \), (45) 



which means that P ab{F) is separable. 
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